Lloyd_Ardoin at ...9013... wrote:
>I tried using the same conf file that I had been using with the 1.9.0
>and 1.9.1 version. [ ... It didn't work ... ] so I modified the conf
>file that came with the 2.0.0 version to reflect the same information
>as the 1.9.1 conf file.
My experience is that Snort is a very dynamic piece of software, which
means that it evolves rapidly. Like natural systems, there are
evolutionary dead ends and it isn't always obvious in advance which
direction its development will take.
That means that when installing a new major revision of Snort, and some-
times even when putting in what appear to be minor updates, it's a good
idea to use the new version of the configuration file -- bearing in
mind that it will likely have new features in it *and* that some features
that were in the older version may have been altered or abandoned. Some
of the configuration data you carried over from 1.9.1 may be obsolete,
and this could be at the root of the behavior you observed. This is also
true of rulesets, by the way, in which acceptable syntax can change
between versions.
When I installed 2.0.0, I started fresh with the new snort.conf and the
new ruleset, and it's merrily alerting away.
We are creatures of habit, and I know I become accustomed to seeing the
alerts that a particular configuration and ruleset generate. I have
researched them, and know what they mean with respect to my system. That
makes me reluctant to exchange these for a new set which will generate
different alerts that will have to be researched anew, but I find that
it's the best practice.
By the way, if the version of 1.9.1 you're using isn't patched for the
recently-discovered stream4 integer overflow and you don't have that
feature turned off, then you've told the world that you're running a
vulnerable copy of Snort.
Best regards,
Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115